Is the general counsel the ringmaster managing risk effectively within their organisation, or a stage prompt waiting in the wings? These were the main discussion points of a recent panel debate before an audience of more than 40 senior in-house lawyers gathered together at Eight Members Club in Moorgate.
Introducing the key findings, DAC Beachcroft partner Ben Daniels noted that more than 120 in-house counsel responded to the survey in early 2017 and there were some striking results, notably that over half (54%) said they were not on the committee that deals with risk management within their organisations. The research also ranked the departments in-house legal teams liaised with the most on risk. Top of the list came the traditional functions: finance, HR and the office of the COO but, surprisingly, IT was bottom.
‘Why is that?’ Daniels questioned. ‘Something else we found in the survey was that second top of the list of risk concerns of GC is cybersecurity. There is a disconnect there if IT is actually the department that we are liaising with the least.’
Turning to the panel, Clare Wardle, GC of Coca-Cola European Partners was surprised that so few respondents were on risk committees: ‘I am not quite sure how they manage if they do not attend. I suppose it depends a little bit on the definition of the risk committee. If it is a board committee, they may not be a member if board members are directors, but I should still expect the GC to attend.’
As group GC and company secretary at Serco, David Eveleigh argued that it is a challenge for GCs, who do not attend the board, whereas the company secretary usually does. ‘Once you are there, they see the value of your participation, absolutely. In relation to the risk committee if one of your closest colleagues is not the risk officer, it is going to make the role difficult. They should absolutely want you beside them.’
Eveleigh added that having non-executive directors on the board that understand the need for a GC to be involved in risk management is also a way in, as they can then ask the chair why the GC is not on a committee or board. ‘Some lawyers wait to be asked. I would make the role a key assurance and control and therefore a risk if the GC is not present.’
If the risk committee is influential, why would you not be there?
Sharon Harris, Ultra Electronics
As for the in-house lawyer’s role in risk management, Ultra Electronics’ GC and company secretary Sharon Harris said that in the role of GC and/or company secretary, you are not a lawyer; you are a business person with a set of skills and experiences.
‘How did I end up with risk? In fairness, I was the person most vocal in criticising how we did it and upset people, making them feel uncomfortable. It is about getting people interested in risk, and that is a tough sell. They will think: “We manage projects, and there are risks in projects”. Yes, but do we? It is about breaking it down.’
She added that GCs and company secretaries are independent, unfettered by the silo of finance and the pressure to hit the numbers. ‘We could be very compliant as a business but earn no money; that is not good either. We have got to own the fact that we bring these skills and take advantage of it in our position. If the risk committee is influential and a forum for where decisions are made, why would you not be in attendance?’
‘When you are a member of the group executive, you are not there just to be a lawyer. If you are there just to be a lawyer, then you should be shot,’ said Wardle. ‘The executive needs someone who can see the whole spectrum. It is important to think about managing risks with a really close eye on the business and reputational impacts, having a voice beyond “we are compliant with the law”.’
The key from a risk perspective is to demonstrate that you are adding value to the business and one way to achieve this, according to Eveleigh, is to verify risk controls… and leave the office. ‘What are you doing to assure yourself and therefore the board that the risk control or mitigation is being followed through? How do you do the assurance of risk mitigation? How do you ensure that somebody, even at the first line, is giving a monkey’s about this stuff? Have you seen a risk report? Have you seen a risk register? Have you tested that against what the insurance says? Have you triaged as to what that means from an operational perspective? Do that occasionally and it will help as well as giving you visibility.’
Maaike de Bie, Royal Mail Group: Managing risk has to work with the company’s culture.
Maaike de Bie, legal chief of the Royal Mail Group, said the GC is one of the best suited to the role as they can ‘connect dots for people’. ‘It is something that practically we all should be doing all of the time, as well as asking those more probing questions. Most people on the ground do know what their risks are, but they might not want to volunteer unless you ask them questions.’
Wardle agreed that is an important reason why the GC is not a bad place to put risk, because they get that overview of what the impact is. ‘In operations, finance, or HR, they may know they have got a risk. You can see that a commercial plan is going to have massive operational consequences, or the identified operations risk is going to have massive HR consequences, and you can join those dots.’
She added that the flipside of any risk, if it is managed well, is it can create an opportunity. ‘In your committee, do not just say, “Goodness, this is going to cost us £200m”. Say: “If we do this better than any other company, we can also exploit the opportunity that has opened up.” People will then buy in to your committee in a way that they will not if you just say: “Yes, that is terrible!”
One subject that came up frequently in the discussion was identifying individuals in the business who are willing to drive compliance. This is something that de Bie said is in place at Royal Mail and could be translated across to risk.
‘When I started and I talked about risk or risk appetite, a few people looked at me like I spoke Swahili. I am in an ex-public sector company and its prime focus or language was never risk; it was about delivering a great service. Now we are a plc, but we still have the same people. It is not like all of a sudden a magic switch comes on.
It depends where you are and in what sector. In a non-financial sector if you say “risk appetite”, you might need to explain what you mean by that.’
The chief risk officer is an obvious candidate as a risk champion, acting as a conduit for protocols between legal, compliance and the board. However, as Harris points out, it is not the job title but the person in the role that is important. The risk champions across various Ultra divisions are commercial and the view is that they will not be permanent. They do not do it full-time – they will take that experience, go back to the business and share it. ‘That is important for getting the idea of risk spread around the business. The concept of a risk and compliance manager just brings the wrong connotations. The real role for this person is to agitate, to question, to be out there talking to people. It should not just be with a view to being able to prevent, but being able to maximise.’
Another key element to training risk champions is to avoid scenarios where you assume sole responsibility for everything risk-related. Asking for help externally – especially from your auditors and insurers – can be vital, according to Eveleigh and Wardle.
‘If you are in charge of risk, make sure that people do not think you are therefore responsible for everything that goes wrong,’ said Wardle.
Recognising that all functions are under time and cost pressure, Wardle suggested leveraging auditors’ expertise. ‘If you do not have a good structure that helps you set out your principal risks, how you report against them, how to sort out your risk appetite etc – your auditors do. They can give you a standard framework to get you started and help you understand how to customise to fit your company. Your auditors can be incredibly helpful in that space.’
But in communicating risk, one area that can cause problems is the use of jargon, one reason why Harris believes that in-house respondents to the survey had lower levels of engagement with IT compared to other functions handling risk. Another way of saying, ‘What is your risk appetite?’ is: ‘What are you worried about?’’ and then people then see it in a different way.
David Eveleigh, Serco: Increased focus on data will deepen the relationship between in-house legal and IT.
Eveleigh believes the relationship between in-house legal and IT is only going to deepen from a risk perspective, because of increasing focus on data and increased regulatory pressures such as the EU’s General Data Protection Regulation (GDPR). ‘There is a risk that companies primarily focus on cybersecurity but that is just a subset of data security and a there are clearly a broader range of things that companies should be doing to comply with the GDPR. That relationship with the chief information officer, or chief technology officer, or whatever they are called is just going to increase as a result. Most companies are focusing at various levels of maturity on GDPR. I see that as an opportunity.’
One final question from the floor asked the panel that if risk mitigation can be achieved through improved quality, and assuming quality is linked to the culture of an organisation, should you try to influence the culture to manage risk?
De Bie concluded that addressing culture was core to managing a lot of risk management. ‘We look at compliance a lot. It is not about coming down with a bunch of rules and saying, “Thou shalt do this; thou shalt do that”. It is making it real, linking it to our values, and understanding what your company stands for. What your company stands for will be different from what another company does. You cannot go too fast and too far away from culture. As they say, culture will have strategy for breakfast. You can try whatever you like at the top to change, but it will not happen if that is not what the belief is within the company.’